Your systems have been breached, sensitive information stolen, and a ransom demand now sits on your desktop as a text file. After the initial panic subsides, the important questions arise: what should I do now that it has happened? To pay or not to pay? An attack like this will cause financial and reputational damage, but are there any legal ramifications? Should I pay and risk having my data sold to the highest bidder anyway, or not pay and risk it being made public? What should I do?
What is ransomware?
Ransomware is a type of malicious software (malware) used by threat actors to extort you, either by preventing access to your data or by threatening to publish it, and frequently both. The denial of access is most often achieved either by locking you out of your machine or by encrypting the files on it. Based on that distinction, there are two main types you should be aware of:
- Locker/screen locker ransomware – malware which locks you out of your system, or parts of it, but does not encrypt the files on the computer. This usually takes the form of a full-screen image purporting to be from MI5 or the FBI, displayed as soon as your machine starts, advising that it has been locked down and urging you to call the provided number. This is of course not a real helpline and leads to further extortion attempts by the operators. This is the less impactful of the two kinds of ransomware: once the lock screen is removed, all the files are still intact.
- Encrypting/crypto ransomware – malware which encrypts some or all of the data on the device and then displays a ransom note demanding payment within a specified time. If the demand is not met, the note usually threatens that the encrypted files will either be deleted or left permanently encrypted, making them useless. In most modern attacks the attackers also copy (exfiltrate) the data before encrypting it, with the intent of leaking it or selling it to the highest bidder. This kind of infection can be very damaging because it tends to spread quickly across the network, either automatically or under the attacker's remote control, unless it is stopped in time.
Regardless of which type of ransomware you are a victim of, all ransomware infections follow a similar pattern of execution, which the National Cyber Security Centre (NCSC) sums up in three stages:
- Access – attackers gain access to your network, establish control and plant ransomware. They can also copy your data and threaten to leak it.
- Activation – ransomware is activated, locking devices and causing network-wide data encryption, so you lose all access to it.
- Ransom demand – an on-screen notification is usually displayed after the encryption stage, explaining the ransom and how to pay it. Usually, it’s done using anonymous web pages and cryptocurrency.
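As an added illustration of the activation and ransom-demand stages above (example code written for this page, not part of the original article or of NCSC guidance): a small Python scanner that checks a directory tree for the artefacts crypto ransomware leaves behind, namely files whose contents have become high-entropy (random-looking, as ciphertext is), a document extension with an unfamiliar one appended, and a dropped ransom note. The note filenames, keywords, extension lists and entropy threshold are assumptions chosen for illustration, and the sample directory that the demo() function builds is constructed, not captured from a real incident.

```python
"""Scan a directory tree for indicators of crypto-ransomware activity.

Added example, not code from the original article. Every filename,
keyword, extension list and threshold below is an assumption chosen
for illustration, not a definitive indicator list.
"""
import json
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicators; a real deployment would tune these to its environment.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt",
                     "decrypt_instructions.html"}
NOTE_EXTS = {".txt", ".html", ".hta"}
NOTE_KEYWORDS = ("bitcoin", "decrypt", "your files", "ransom")
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}
# Compressed/encoded formats are legitimately high-entropy: entropy alone
# says nothing about them, so they are skipped for that check.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext/random data approaches 8.0
MIN_SAMPLE = 256          # bytes; entropy of tiny files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Known note filename, or a text/HTML file using extortion vocabulary."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return True
    if path.suffix.lower() not in NOTE_EXTS:
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(keyword in text for keyword in NOTE_KEYWORDS) >= 2


def scan_directory(root: Path, sample_bytes: int = 4096) -> dict:
    """Return the indicators found under root, as POSIX paths relative to root."""
    findings = {"ransom_notes": [], "double_extension": [], "high_entropy": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if looks_like_ransom_note(path):
            findings["ransom_notes"].append(rel)
            continue
        suffixes = [s.lower() for s in path.suffixes]
        # e.g. invoice.docx.locked: a document extension followed by an unknown one
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            findings["double_extension"].append(rel)
        if suffixes and suffixes[-1] in HIGH_ENTROPY_OK:
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(sample_bytes)   # only the first block is sampled
        except OSError:
            continue
        if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def triage(findings: dict) -> str:
    """Combine the indicators into a verdict that decides whether to isolate the host."""
    encrypted = findings["high_entropy"] or findings["double_extension"]
    if findings["ransom_notes"] and encrypted:
        return "critical"    # note plus encrypted files: isolate from the network now
    if findings["ransom_notes"] or encrypted:
        return "suspicious"  # a single indicator: investigate
    return "clean"


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        # Untouched document: low-entropy English text
        (root / "docs" / "notes.txt").write_text(
            "Meeting notes: review the quarterly figures, agree the supplier "
            "contract renewal and schedule the backup restoration test. " * 4)
        # "Encrypted" document: random bytes with an extension appended
        (root / "docs" / "invoice.docx.locked").write_bytes(os.urandom(4096))
        # Legitimate compressed image: also random-looking, must not be flagged
        (root / "docs" / "logo.png").write_bytes(os.urandom(4096))
        # Dropped ransom note
        (root / "HOW_TO_DECRYPT.txt").write_text(
            "Your files have been encrypted. Send 0.5 bitcoin to the address "
            "below within 72 hours to decrypt them.")
        findings = scan_directory(root)
        findings["verdict"] = triage(findings)
        return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # scan a real directory
        result = scan_directory(Path(sys.argv[1]))
        result["verdict"] = triage(result)
    else:                                      # or run the built-in sample
        result = demo()
    print(json.dumps(result, indent=2))
```

Run it with a path argument to scan a real directory, or with none to scan the constructed sample. Entropy is a noisy signal on its own: compressed and media formats are legitimately random-looking, which is why they are allow-listed, and a periodic scan only confirms what has already happened. In production the same checks would hang off real-time file events or canary files placed on shares, so that a "critical" verdict can trigger network isolation of the host while the encryption is still in progress.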
How should I respond to a ransomware attack? Should I pay?
Ransomware infections are extremely stressful for businesses because their impact can be both short-term (loss of critical business assets and data until resolved) and medium- to long-term (loss of reputation and business, and legal trouble). Because of this, you need to be aware and prepared to act in case it happens, so as not to make costly mistakes.
- DO NOT pay the ransom – although it might seem like the fastest way out, you have no guarantee that the attacker will actually provide a working decryptor after you meet their demands. Your data is no longer under your control, so it can still be leaked online or sold to the highest bidder, and it frequently is. Paying also exposes you to "double extortion": having demanded a ransom to decrypt your machines, the attacker then demands a further payment not to leak the data they stole before encrypting it. Neither the NCSC nor the ICO (Information Commissioner's Office) condones ransom payments, and both advise against them. Paying only funds the attacker and encourages them to target you, or someone else, again.
- Do not turn off affected machines – ransomware runs in the machine's RAM (volatile memory), which is wiped every time the computer is powered off. That memory can contain forensic evidence of how the attack unfolded and, in some cases, the encryption keys themselves, which incident responders can sometimes recover from a live system. Isolate affected devices from the network (unplug the cable, disable Wi-Fi) rather than powering them down, and do not reboot them.
- Take all systems offline – it is important not to let the attack get worse than it already is. In the majority of cases, ransomware spreads across the network by abusing the implicit trust internal systems place in each other (stolen credentials, administrative tools and open file shares). A lot of ransomware is also remotely operated, requiring a human on the other end to start the encryption process manually. If you cut off Internet access and disconnect or segment the internal network, you remove the criminals' ability to reach more devices and start the encryption process on them.
- Disable backups – if you have automatic backups set up on any of the affected systems, pause them until you are sure the ransomware has been completely removed from your network, and disconnect any backup storage that is reachable from the network. Otherwise, at best a backup job will save the encrypted files (or the ransomware itself) over your clean copies, so the machine is re-encrypted or still useless after you restore from it; at worst the backups themselves get encrypted and any restoration becomes impossible.
- Perform Incident Response – if you have not already, engage your Incident Response team to establish how the attacker entered your network, which systems are impacted, and start removal and data restoration efforts on affected devices. If you do not have the capacity to do this on your own or require specialist help, Aspire Security Operations Centre’s Incident Response Team is available 24/7/365 to support you in determining the cause of the infection, getting rid of all ransomware traces, and preventing future attacks. You can contact them here.
- Disclose it – under the UK GDPR you are accountable for the personal data you hold; a ransomware attack that encrypts, destroys or exfiltrates customer or employee data is a personal data breach, and an attacker leaking or selling that data falls squarely into this category. It is important that you contact the relevant authorities in a timely manner (see below) to limit the risk of costly fines and legal action.
Which authorities should I contact following a data breach?
With the number of laws concerning data storage and handling, it can get confusing as to who should be contacted. Below is a list of the relevant bodies, with time frames for disclosure where applicable. Please note: if there is any risk of harm to people's lives, violence has occurred or been threatened, or serious damage has been caused to any property as a result of a cyber incident, you need to first contact emergency services on 999.
- National Cyber Security Centre (NCSC) – it is best to report a cyber incident as soon as you have been made aware of it. NCSC can offer you assistance and confirm that you have taken steps to disclose and remediate the breach. A report should be filed with them if client, customer, or employee data is affected, software, firmware or hardware was impacted, or personal data has been tampered with. These reports are monitored 24/7 and assessed as soon as possible. Their disclosure form is available here.
- Action Fraud – if a live incident is underway, you can contact them on 0300 123 2040 and press 9, which will take you to the priority reporting service. Your incident will be triaged on the phone and passed to the National Fraud Intelligence Bureau for investigation, potentially advising your local law enforcement if necessary. You will be kept in the loop about the status of your report. This service is available 24/7 as well.
- Information Commissioner's Office (ICO) – under the UK GDPR you are legally obliged to report a personal data breach that is likely to result in a risk to people's rights and freedoms without undue delay and, where feasible, within 72 hours of becoming aware of it. You will need a timeline of events, a risk assessment, and a description of what you have done to contain the breach. You do not need to have all the information: you must notify the ICO within the 72-hour window and can submit the rest in phases as it becomes available. You can report by phone on 0303 123 1113 (Monday-Friday, 09:00-17:00) or online, and the ICO provides a quick guide on submitting a proper report here. Note that other regimes carry their own deadlines: PECR (for providers of public electronic communications services) and eIDAS (for trust service providers) require notification within 24 hours, while the NIS Regulations require it within 72 hours.
If you are still unsure if the above applies to your business or want to double-check your plan to be safe, NCSC provides a guidance service called the Cyber Incident Signposting Service (CISS) available here. It asks a few key questions and suggests the best authorities to contact based on your answers.
What are the possible ramifications of a ransomware attack?
You already know who you need to contact and how to act if you become a victim of ransomware, but what is the possible impact on your business?
First and foremost, due to the nature of ransomware, your business operations will be disrupted. Some or all of your machines will be encrypted, and you will lose access to the data on them, including anything created since your last good backup, which can include client transactions, HR documentation and personnel files, or legal documents. If a critical asset is impacted, or thought to still have remnants of the infection on it, it will have to be taken offline for remediation. This can be devastating in the short term and can cause breaches of Service Level Agreements, disgruntled clients, and a disproportionate workload for your technology department.
Afterwards comes reputational damage from inevitable media coverage and legally required client disclosures. Loss of client trust is a big problem following a ransomware infection, and it is not regained easily. If any critical data is stolen, your company will be less likely to receive business due to fears of this happening again in the future. This directly impacts revenue, causing further impacts to your company and future business opportunities.
Finally, financial penalties are the biggest impact on your business in the long term. These are most often issued by the ICO, which under the UK GDPR can fine up to £8.7mln or 2% of total annual worldwide turnover (whichever is higher) for most infringements, and up to £17.5mln or 4% of total annual worldwide turnover (whichever is higher) for the most serious ones. Keep in mind that these are maximums: penalties are set on a case-by-case basis as a deterrent, so the amount actually imposed is usually lower. Such penalties can still be devastating for a business already suffering the loss of revenue from clients leaving and missed business opportunities.
Examples of previous attacks
WannaCry, launched in May 2017, infected multiple NHS systems in England and Scotland, as well as hundreds of thousands of machines worldwide. It spread as a worm, exploiting an SMBv1 vulnerability for which Microsoft had released a patch (MS17-010) two months earlier, so a single infected machine would encrypt itself and then infect every unpatched device it could reach on the network. Each victim's decryption key was itself encrypted with a key held only by the attackers, so files could not be decrypted locally; the one exception was a tool that recovered key material from the memory of infected machines that had not been rebooted, which is a concrete illustration of why you should not power off affected systems. Apart from the disruption to health service operations, the cost to the NHS alone was estimated at roughly £92mln. The ransom demanded was $300-$600 per system. Worldwide, total damages are estimated in the hundreds of millions to billions of dollars.
REvil came onto the ransomware scene in 2019 and helped popularise the ransomware-as-a-service (RaaS) model of operation. This is a business model in which a less advanced attacker pays to use ready-made ransomware to execute their attack. "Operators" offer different subscription models to "affiliates," ranging from flat rates to percentage cuts of the ransom payments. Operators were even known to negotiate with victims on affiliates' behalf. This has become a very popular model of ransomware operations in recent years. The largest publicly reported REvil demands reached tens of millions of dollars, such as the $70 million demanded after the 2021 Kaseya supply-chain attack.
More recently, in 2022 the ICO issued its first fine for GDPR breaches arising directly from a ransomware attack. A solicitors' LLP was fined £98,000 for failing to patch its systems in time and failing to adequately secure them ahead of an attack in 2020. This fine also set a precedent for future penalties, in that fines are more severe should a compromise not be reported in time. The best course of action is never to let a breach like this happen, as the financial and reputational costs are substantial.